Get started today—Download the FREE template and customize it to fit the needs of your organization.
An employee’s personal data may include their social security number, emergency contact information, address, home phone number, interview notes, publicly available information, and other personal information collected by their employer and related parties.
These policies set privacy expectations for employees, notify them of their rights regarding the information collected, and inform them of the steps they can take to access and correct their personal information.
Employers create these policies to comply with all applicable workplace privacy regulations. For example, businesses that are subject to the General Data Protection Regulation (GDPR) must have a policy regarding the collection, use, and disclosure of personal information.
Employee monitoring is an excellent tool for understanding how your workforce operates.
Unfortunately a history of overly-invasive deployments has caused serious concerns among employees, like:
Is my employer spying on me?
They’re just doing this to find an excuse to fire me
If they’re monitoring what I do at work, they obviously don’t trust me
This is not what you want your employees to feel.
In this video I’m going to guide you through the best practices for monitoring employees so you can avoid these mistakes and concerns from your employees
Hello and welcome to the CurrentWare YouTube channel.
My name is Neel Lukka and I am the managing director here at CurrentWare.
After watching this video you can learn more about this topic by reading our new white paper “Employee Monitoring: Best practices for balancing productivity, security and privacy”
You can find the link for that in the description below.
Before we start, I just want to give a quick disclaimer here.
I’m not a lawyer and this is not legal advice. These tips are for informational purposes only. If you want to use employee monitoring software in your company be sure to consult with a legal professional first.
Alright, let’s jump in
First up is the very best tip I can give you.
If you want to succeed, you have to let your employees know that they are being monitored.
Employees that do not know if they are being monitored, why they are being monitored, and how they are being monitored are more likely to have negative reactions to being monitored:
Having higher rates of stress and anxiety
Being less likely to accept being monitored
And, ironically, becoming less productive
That’s not to say that transparency is going to negate each and every concern that your employees may have.
But if you start with transparency from the very beginning you have a far better chance of proving to your employees that these tools aren’t being used to spy on them.
By being transparent you’re also giving the chance to hear about their concerns from the start. This lets you work with them to make an employee monitoring strategy that is fair and minimally invasive.
Here are 4 transparency boosting tips:
Involve a representative sample of employees when you start planning your goals and the metrics you want to capture
Tell your employees what metrics are being captured, how they’ll be used, and what is being used to capture them
Have your staff read and sign policies that disclose your intended use of the employee monitoring software
and finally, give them access to their own data so they can see exactly what’s being captured. They can even use this data to manage their own productivity, which is a major bonus
The second tip I have for you is don’t use employee monitoring to micromanage
One of the reasons that monitoring can be perceived negatively is that it feels like it’s being used to punish employees. They worry that it’s the software equivalent of a micromanaging boss staring over their shoulder while they work, just waiting for them to slip up.
Some employers do monitor internet use to make sure employees aren’t getting carried away, but did you know that so-called “unproductive” internet browsing has actually been found to have a positive impact on productivity?
It’s true! But only if that browsing doesn’t take up more than 12% of their work time.
Employees feel far better about being monitored when they’re given the autonomy to self-manage first. Managers can step in if things are getting carried away or if their employees are visiting clearly inappropriate websites.
The third and final tip I have for you today is to not monitor more than you have to.
Think about it this way – if I told you that I wanted to make sure that employees weren’t visiting not safe for work websites, you’d think I was crazy for asking for a direct feed into their webcams.
The bottom line is this:
If you can meet your company’s goals with a less invasive method of monitoring, do it that way.
For example, if you want some backup for your acceptable use policies you can use internet monitoring software to see what sites are being visited.
But there’s no need to track individual keystrokes
Or maybe you want to protect data from being stolen. You can monitor the flow of data without recording audio clips of private conversations
Finally, maybe you want to track the work habits of employees that are working remotely or from home. Give them a company-provided device rather than monitoring their personal computers
That’s it for now.
If you want to learn more, check out our new white paper “Employee Monitoring: Best practices for balancing productivity, security and privacy”
You can find the link for that in the description below.
If you’d like to try out employee monitoring in your company, visit CurrentWare.com/Download for a free trial of BrowseReporter, our computer monitoring software.
And as always stay tuned to our YouTube channel for more videos about employee monitoring, cyber security, and CurrentWare’s workforce management software.
A company that wants to monitor employee computer activity will use similar policies and procedures to notify its employees that employee monitoring software is being used.
An employee monitoring policy (workplace monitoring policy) will also disclose what data is being collected by the software, in what context the use or disclosure of the collected data will occur, the security measures that are in place to protect the data, and the business purposes for the data.
How to Make a Workplace Monitoring Policy [Free Template]
What is Personal Information?
Disclosing the means that your company uses to collect employee personal data is just as important as disclosing the information that will be collected.
Once that data is collected it must also be securely stored and protected against unauthorized use or disclosure. The cybersecurity practices your company takes to protect employee data must be proportional to the risks associated with the misuse of that data.
Ways that data can be collected include
Depending on the privacy legislation in your company’s (or employee’s) jurisdiction, you may need to create multiple unique policies. Data privacy legislation such as the EU’s GDPR and the California Consumer Privacy Act (CCPA) have their own privacy practices that must be adhered to by your company.
Generally speaking, a company should only keep personal data for as long as it has legitimate business purposes for it. Once the data is no longer required it should be disposed of per applicable legislative requirements.
In your policy your company should disclose how long the collection, use, and disclosure of data will occur and the circumstances that will lead to its disposal.
Employees should be provided access to their own data where feasible or otherwise required of your company. They should be provided with a point of contact that can assist them with accessing the data and making any necessary corrections.
An employee monitoring policy (workplace surveillance policy) is critical documentation if you will be monitoring the use of company-owned equipment, devices, computers, networks, applications, software, and similar assets.
We’ve created an employee monitoring policy template (workplace surveillance policy template) that you can download for free and customize to fit the needs of your company. This template discloses your intent to monitor employees in the workplace, the types of monitoring that will be used by your company, and the privacy expectations that your employees should have.
GitLab, Inc. is a global company with its headquarters in the U.S. This means that personal information may be used, processed, and transferred to the United States and other countries or territories and those countries or territories may not offer the same level of data protection as the country where you reside, including the European Economic Area. However, GitLab will ensure that appropriate or suitable safeguards are in place to protect your personal information and that transfer of your personal information complies with applicable data protection laws. Where required by applicable data protection laws, GitLab has ensured that service providers (including other GitLab affiliates) sign standard contractual clauses as approved by the European Commission or other supervisory authority with jurisdiction over the relevant GitLab data exporter (which typically will be your employer).
Who is collecting your personal data (who is the data controller)?
The GitLab entity that is a party to your employment contract or contract for services or otherwise employs you will be the data controller of your personal data. The following are the GitLab entities that act as controller: GitLab, Inc., GitLab, LLC., GitLab BV, GitLab GmbH, GitLab, LTD, GitLab PTY Ltd, GitLab Canada Corp, GitLab IT BV, and other GitLab subsidiaries throughout the globe (collectively “GitLab”).
GitLab affiliates may act as processors on behalf of other GitLab affiliates and/or controllers. Furthermore, GitLab, its affiliates and subsidiaries participate in a group-wide IT system in order to harmonize GitLab’s IT infrastructure and its use (the “System”). The System also may hold data on all employees, workers, individual contractors and contingent workers (“Staff”). Insofar the System serves to improve and harmonize most of the human resources (“HR”) processes within GitLab. GitLab, Inc. in the US is responsible for the System.
Applicability of Other GitLab Privacy Policies
Third Party Services
In some cases, you may provide personal information to third parties that GitLab works with or that provide services to GitLab. This includes those parties identified in the Tech Stack Application YAML (“Third Parties”).
What Personal Information Do We Collect?
We collect and maintain different types of personal information about you in accordance with applicable law. This includes the following:
Where permitted by law and applicable we may collect the results of credit and criminal background checks, screening, health certifications, driving license number, vehicle registration, and driving history.
For specifics about what information is collected by third party applications, please refer to the Tech Stack Applications.
How is Data Collected?
Generally, we collect personal information directly from you in circumstances where you provide personal information (during the onboarding process, for example). However, in some instances, the personal information we collect has been inferred about you based on other information you provide us, through your interactions with us, or from third parties. When we collect your personal information from third parties it is either because you have given us express consent to do so, your consent was implied by your actions (e.g., your use of a Third-Party employee service made available to you by us), or because you provided explicit consent to the Third-Party to provide the personal information to us. Where permitted or required by applicable law or regulatory requirements, we may collect personal information about you without your knowledge or consent.
We reserve the right to monitor the use of our equipment, devices, computers, network, applications, software, and similar assets and resources for the safety and protection of employees and intellectual property. In the event such monitoring occurs, it may result in the collection of personal information about you. If required by applicable law, we will notify you of such monitoring and obtain your consent.
How We Process and Use Your Personal Information
We may collect and process your personal information in the Systems for various purposes subject to local laws and any applicable collective bargaining agreements and works council agreements, including:
Additional information regarding specific processing of personal data may be notified to you locally.
Legal Basis for processing
Where applicable data protection laws require us to process your personal data on the basis of a specific lawful justification, we generally process your personal data under one of the following bases:
Compliance with a legal obligation to which GitLab is subject; Entering into at-will employment (for US only) or performance under an employment contract with GitLab; For GitLab’s legitimate interests being those purposes described in the section above headed “How We Process and Use Your Personal Information”; Your consent where required and a legitimate legal basis under applicable local laws.
We may on occasion process your personal data for the purpose of the legitimate interests of a Third-Party where this is not overridden by your interests.
Processing of Special Categories of Personal Data
“Special Categories of Personal Data” includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, as well as genetic and biometric data.
From time to time you may provide us with information which constitutes Special Categories of Personal Data or information from which Special Categories of Personal Data may be deduced. In such cases, where required by law, we will obtain your express written consent to our processing of Special Categories of Personal Data. If separate consent is not required by local law, by providing this information to GitLab, you give your freely given, informed, explicit consent for us to process those Special Categories of Personal Data for the purposes set out in How We Process and Use Your Personal Information section above.
You may withdraw your consent at any time by contacting GitLab’s People Success Group or DPO. Where you have withdrawn consent but GitLab retains the personal data we will only continue to process that Special Category Personal Data where necessary for those purposes where we have another appropriate legal basis such as processing necessary to comply with legal obligations related to employment or social security. However, this may mean that we cannot (for example) administer certain benefits or contact your next-of-kin in an emergency or provide support to you above and beyond our legal obligations. You give your knowledgeable, freely given, express consent to GitLab for GitLab to use, disclose and otherwise process any personal health information about you that is provided to GitLab by any of your personal health information custodians, for the purposes set out in the How We Process and Use Your Personal Information section above.
Sharing Personal Information
Your personal information may be shared, including to our affiliates, subsidiaries, and other third parties, as follows:
Access to Personal Information We Collect
To the extent access is required by applicable law, you can ask to see the personal information that we hold about you. If you want to review, verify or correct your personal information, please submit a request to GitLab’s People Success Group or DPO.
When requesting access to your personal information, please note that we may request specific information from you to enable us to confirm your identity and right to access, as well as to search for and provide you with the personal information that we hold about you. We may, in limited circumstances, charge you a fee to access your personal information; however, we will advise you of any fee in advance.
We reserve the right not to grant access to personal information that we hold about you if access is not required by applicable law. There are also instances where applicable law or regulatory requirements allow or require us to refuse to provide some or all of the personal information that we hold about you. In addition, the personal information may have been destroyed, erased or made anonymous. In the event that we cannot provide you with access to your personal information, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
Correction of Collected Personal Information
We endeavor to ensure that personal information in our possession is accurate, current and complete. If an individual believes that the personal information about him or her is incorrect, incomplete or outdated, he or she may request the revision or correction of that information. We reserve the right not to change any personal information we consider to be accurate or if such correction is not required by applicable law.
Retention of Collected Information
Except as otherwise permitted or required by applicable law or regulatory requirements, we may retain your personal information only for as long as we believe it is necessary to fulfill the purposes for which the personal information was collected (including, for the purpose of meeting any legal, accounting or other reporting requirements or obligations) and for IT archival purposes.
Personal data for data subjects in the European Union is by default erased by GitLab after termination of your employment, with the exception of certain types of personal data, which may be stored for an extended period of time due to administrative purposes, e.g. for payment of retirement income or for giving references to other employers, or where such personal data must be retained to comply with regulatory requirements.
You may request that we delete the personal information about you that we hold, provided that we reserve the right not to grant such request if we are not required to delete personal information under applicable law. There are instances where applicable law or regulatory requirements allow or require us to refuse to delete this personal information. In the event that we cannot delete your personal information, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
Requests to Access, Delete, or Correct Information
Please send requests to access, delete, or correct your personal information to your DPO.
Any request by you to us to delete your personal information will not result in deletion of any information submitted by you to a Third-Party provider. If you require the Third-Party to delete any of your personal information, you must contact the Third-Party directly to request such deletion.
As stated previously, there are instances where applicable law or regulatory requirements allow or require us to refuse to delete this personal information. In the event that we cannot delete your personal information, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
If you have questions or concerns regarding the handling of your personal information, please contact GitLab’s People Success Group or DPO. Alternatively, you may report concerns or complaints to the Legal Department.
You may also anonymously report violations of policy or law using our Third-Party managed Compliance & Fraud Prevention Hotline. You can access the Hotline by going to How to Contact GitLab’s 24 Hour Hotline
Security of Collected Information
We are committed to protecting the security of the personal information collected, and we take reasonable physical, electronic, and administrative safeguards to help protect the information from unauthorized or inappropriate access or use.
Additional Rights
You may also have the following additional rights, subject to certain exceptions and limitations as specified in applicable law:
Where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the legal basis for processing, and that personal information is processed by automatic means, to the extent provided under applicable law, you have the right to receive all such personal information which you have provided to GitLab in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller where this is technically feasible;
Right to restriction of processing
You have the right to restrict our processing of your personal information where:
To the extent required by applicable law, where personal information is subjected to restriction in this way we will only process it with your consent or for the establishment, exercise or defense of legal claims.
Right to withdraw consent
Where we are relying upon your consent to process data, you have the right to withdraw such consent at any time. You can do this by contacting GitLab’s People Success Group or DPO.
Right to object to processing justified on legitimate interest grounds
Where we are relying upon legitimate interest to process data, then you have the right to object to such processing, and we must stop such processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or where we need to process the data for the establishment, exercise or defense of legal claims. Normally, where we rely upon legitimate interest as a basis for processing we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.
You also have the right to lodge a complaint with a supervisory authority, in particular in your country of residence, if you consider that the processing of your personal data infringes this regulation.
If you will be using employee monitoring software to track computer activity in your company you can use a similar policy to disclose your intent to monitor, the types of monitoring conducted, and what privacy rights your employees have.
Want to start monitoring employee computer activity? Get started today with a FREE trial of BrowseReporter, CurrentWare’s employee monitoring software.